Bugzilla – Bug 1194866
VUL-0: python-onionshare: multiple CVEs fixed with 2.5
Last modified: 2022-05-02 10:15:30 UTC
CVE-2022-21688: Out-of-bounds Read: The desktop application was found to be vulnerable to denial of service via an undisclosed vulnerability in the QT image parsing https://github.com/onionshare/onionshare/security/advisories/GHSA-x7wr-283h-5h2v CVE-2022-21690 Improper Input Sanitation: The path parameter of the requested URL is not sanitized before being passed to the QT frontend https://github.com/onionshare/onionshare/security/advisories/GHSA-ch22-x2v3-v6vq CVE-2022-21689 Denial of Service: The receive mode limits concurrent uploads to 100 per second and blocks other uploads in the same second, which can be triggered by a simple script https://github.com/onionshare/onionshare/security/advisories/GHSA-jh82-c5jw-pxpc CVE-2022-21691 Improper Access Control: Chat participants can spoof their channel leave message, tricking others into assuming they left the chatroom https://github.com/onionshare/onionshare/security/advisories/GHSA-w9m4-7w72-r766 CVE-2022-21692 Improper Access Control: Anyone with access to the chat environment can write messages disguised as another chat participant https://github.com/onionshare/onionshare/security/advisories/GHSA-gjj5-998g-v36v CVE-2022-21693 Improper Hardening: The filesystem restriction could be hardened and should only allow for pre-defined subfolders https://github.com/onionshare/onionshare/security/advisories/GHSA-jgm9-xpfj-4fq6 CVE-2022-21695 Improper Access Control: Authenticated users (or unauthenticated in public mode) can send messages without being visible in the list of chat participants https://github.com/onionshare/onionshare/security/advisories/GHSA-99p8-9p2c-49j4 CVE-2022-21694 Broken Website Hardening Control: The CSP can be turned on or off but not configured for the specific needs of the website https://github.com/onionshare/onionshare/security/advisories/GHSA-h29c-wcm8-883h CVE-2022-21696 Improper Input Sanitation: It is possible to change the username to that of another chat participant with an additional space character at the end of the name string https://github.com/onionshare/onionshare/security/advisories/GHSA-68vr-8f46-vc9f
@Alex: I saw you are not the bugowner, if you want to re-assign the bug to someone else please go ahead.
Hello Robert, (In reply to Robert Frohl from comment #1) > @Alex: Axel.... > I saw you are not the bugowner, if you want to re-assign the bug to > someone else please go ahead. I dont mind adding some more bug owner to this. Whom do you suggest? BTW, there is a to-do for the maintenance team open on onionshare - see boo#1191311
(In reply to Axel Braun from comment #2) > Hello Robert, > > (In reply to Robert Frohl from comment #1) > > @Alex: > > Axel.... Sorry about that, should have payed better attention :( > > > I saw you are not the bugowner, if you want to re-assign the bug to > > someone else please go ahead. > > I dont mind adding some more bug owner to this. Whom do you suggest? I will see if someone is interested. > BTW, there is a to-do for the maintenance team open on onionshare - see > boo#1191311 I think this is in a dead lock at the moment. These dependency updates are hard to change.
(In reply to Robert Frohl from comment #3) > (In reply to Axel Braun from comment #2) > > > > > I saw you are not the bugowner, if you want to re-assign the bug to > > > someone else please go ahead. > > > > I dont mind adding some more bug owner to this. Whom do you suggest? > > I will see if someone is interested. Thomas would be interested to help out with python-onionshare. He is new with SUSE and is looking to gain some experience with package maintenance. If you agree we can add him as a maintainer/bugowner. I would also show him how to do a version bump for this issue if you agree and show him how the general process works.
Hi Robert, yes, please continue, and welcome Thomas! I did an upgrade in https://build.opensuse.org/package/show/home:DocB:branches:devel:languages:python/python-onionshare but still struggeling with failed tests. Thomas is more than welcome to look into this Thanks!
(In reply to Axel Braun from comment #5) > Hi Robert, > yes, please continue, and welcome Thomas! > I did an upgrade in > https://build.opensuse.org/package/show/home:DocB:branches:devel:languages: > python/python-onionshare > but still struggeling with failed tests. > Thomas is more than welcome to look into this > Thanks! ok, we will also go through the whole normal process together and try to fix the build.
Any update here?
https://build.opensuse.org/request/show/957507 should fix this
Except it depends on python-cepa, which is quite problematic. https://lists.opensuse.org/archives/list/python@lists.opensuse.org/thread/OKZGYK7DUHF4QZSX7YV6SZZ5PZ6YHUYF/ If somebody wants to recover this mess (either porting python-onionshare to using python-stem, or fixing python-cepa to be acceptable for openSUSE), then she is very welcome.
This is an autogenerated message for OBS integration: This bug (1194866) was mentioned in https://build.opensuse.org/request/show/967749 Factory / python-onionshare
version 2.5 is in TW - for Leap I do not expect an update, as Python 3.6 is not supported any more